US7707401B2 · Expired · Utility Patent · PatentIndex 91

Systems and methods for a protocol gateway

Assignee: QUEST SOFTWARE INC · Priority: Jun 10, 2002 · Filed: Jun 10, 2003 · Granted: Apr 27, 2010
Est. expiry: Jun 10, 2022 (expired) · nominal 20-yr term from priority
Inventors: MILLER RANDY; POLING ROBERT; PUGH RICHARD S; SHAPIRO DMITRY
Classifications: H04L 41/0894; H04L 67/564; H04L 67/56; H04L 67/14; G06Q 20/027; H04L 63/1408; H04L 67/02; H04L 63/102; H04L 69/329; H04L 63/0281; H04L 7/00
PatentIndex Score: 91 · Cited by: 20 · References: 119 · Claims: 30

Abstract

A protocol management system is capable of detecting certain message protocols and applying policy rules to the detected message protocols that prevent intrusion, or abuse, of a network's resources. In one aspect, a protocol message gateway is configured to apply policy rules to high level message protocols, such as those that reside at layer 7 of the ISO protocol stack.

Claims

exact text as granted — not AI-modified
1. A method for managing a communication protocol in a network, the method comprising:
 receiving at a firewall a plurality of messages from a computer network;
 intercepting with an enforcer module executing on a computing device selected messages of the plurality of messages, the selected messages comprising each of the plurality of messages associated with an instant messaging protocol;
 comparing the instant messaging protocol of each of the selected messages with at least one protocol template stored by the enforcer module, the instant messaging protocol of each selected message comprising (i) a screen name of a user originating the selected message and (ii) at least one of a source internet protocol (IP) address and a port number;
 based on said comparing, redirecting to a protocol message gateway within the computer network each selected message having bypassed the protocol message gateway, wherein said redirecting comprises using a content vectoring protocol;
 for each redirected selected message,
 identifying with an authentication module of the protocol message gateway a unique user name associated with the screen name of the user originating the redirected selected message,
 based at least in part on the unique user name, selecting a policy rule for restricting the user's usage of the instant messaging protocol, and
 applying the selected policy rule to the redirected selected message.

2. The method of claim 1, wherein the policy rule comprises a rule for restricting the user from sending or receiving a predefined number of instant messages within a given time period.

3. The method of claim 1, wherein said selecting the policy rule is based at least partly on the source of the redirected selected message.

4. The method of claim 1, wherein said selecting the policy rule is based at least partly on the intended destination internet protocol (IP) address of the redirected selected message.

5. The method of claim 1, wherein said selecting the policy rule is based at least partly on when the redirected selected message is sent or intended to be received.

6. The method of claim 1, wherein said selecting the policy rule is based at least partly on the size of the redirected selected message.

7. The method of claim 1, wherein the selection of the policy rule is based at least partly on whether the redirected selected message includes an attachment.

8. The method of claim 1, further comprising creating a log comprising information associated with the redirected selected message.

9. The method of claim 1, wherein said identifying further comprises:
 generating the unique user name for the user;
 associating the screen name with the unique user name; and
 storing in a database the association between the screen name and the unique user name.

10. The method of claim 1, wherein applying the selected policy rule comprises forcing the redirected selected message to use a defined communication connection when flowing into or out of the computer network.

11. The method of claim 1, wherein applying the selected policy rule comprises terminating a communication connection associated with the redirected selected message.

12. The method of claim 1, wherein applying the selected policy rule comprises resetting a communication connection associated with the redirected selected message.

13. The method of claim 1, wherein comparing the instant messaging protocol comprises determining whether the selected message is directed to port 5190.

14. The method of claim 1, wherein comparing the instant messaging protocol comprises determining whether the selected message is directed to port 8080 and whether the selected message includes a string “?pword=%1”, wherein %1 represents a value maintained in a message traffic database.

15. The method of claim 1, wherein comparing the instant messaging protocol comprises determining whether the selected message includes a string of five characters in an incoming packet header, wherein the five characters represent a signature of the instant messaging protocol.

16. The method of claim 1, wherein comparing the instant messaging protocol comprises determining whether the selected message is directed to port 8080 and whether the selected message includes a string “?message=”.

17. The method of claim 8, further comprising encrypting the log.

18. The method of claim 8, further comprising restricting access to the log.

19. The method of claim 9, wherein said generating the unique user name comprises identifying a client device using the source internet protocol (IP) address.

20. The method of claim 10, wherein the defined communication connection is a defined port on the protocol message gateway associated with the computer network.

21. The method of claim 19, wherein determining the unique user name further comprises determining a global user identification associated with the client device.

22. The method of claim 21, wherein determining the global user identification comprises interrogating a registry associated with the client device.

23. A system for restricting usage of instant messaging in a network, the system comprising:
 a firewall operative to receive a plurality of messages leaving a computer network coupled to the firewall;
 a proxy enforcer executing on a computing device and in communication with the firewall, the proxy enforcer operative to identify one or more of the plurality of messages that are associated with an instant messaging protocol, the instant messaging protocol comprising an application layer protocol;
 a plurality of protocol definition files accessible to the proxy enforcer, wherein the proxy enforcer is further operative to compare the instant messaging protocol of each of the one or more messages with at least one of the plurality of protocol definition files;
 a protocol message gateway in communication with the proxy enforcer, the proxy enforcer operative to redirect to the protocol message gateway each of the one or more messages that did not previously pass through the protocol message gateway prior to being received by the firewall; the protocol message gateway further comprising
 at least one protocol adapter operative to generate a data structure comprising information indicative of a communication session of each redirected message,
 an authentication module operative to identify a unique user name based on a screen name associated with each redirected message, the unique user name identifying an actual user of the computer network, and
 a policy enforcement module operative to select a policy rule for restricting the actual user's usage of the instant messaging protocol and to apply the selected policy rule to the redirected message.

24. The system of claim 23, wherein the policy enforcement module of the protocol message gateway is further operative to select the policy rule based at least partly on when the redirected message is originally sent or intended to be received.

25. The system of claim 23, wherein the policy enforcement module of the protocol message gateway is further operative to select the policy rule based at least partly on the size of the redirected message.

26. The system of claim 23, wherein the policy enforcement module of the protocol message gateway is further operative to select the policy rule based at least partly on whether the redirected message includes an attachment.

27. The system of claim 23, wherein the policy enforcement module of the protocol message gateway is further operative to select the policy rule based at least partly on whether the redirected message includes a virus.

28. The system of claim 23, wherein the protocol message gateway further comprises a logging module configured to record information associated with each of the redirected messages.

29. The system of claim 23, wherein the authentication module is further configured to
 determine the unique user name for the actual user;
 associate the screen name with the unique user name; and
 store in a database the association between the screen name and the unique user name.

30. The system of claim 23, wherein the firewall further comprises a content vectoring protocol application programming interface (API) operative to communicate the redirected messages to the protocol message gateway.
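As an added illustration of the flow that claims 1, 2, 8, 9, 13, 14, 16 and 19 describe (this is not code from the patent or from Quest Software): an enforcer compares outbound messages against port-and-string protocol templates, redirects matches to a gateway that maps each screen name to a unique user name keyed on the client device, applies a per-user message-rate rule, and logs each decision. The template names, the "user@<ip>" naming scheme, the rate-limit values and the sample traffic are assumptions; the five-character header signature of claim 15 is not modelled because the patent does not disclose it.

```python
from collections import defaultdict, deque
# Protocol templates as claims 13, 14 and 16 describe them: a destination port plus
# an optional payload string. Claim 14's "%1" database value is not checked here.
TEMPLATES = [
    {"name": "port-5190", "port": 5190},
    {"name": "http-pword", "port": 8080, "needle": "?pword="},
    {"name": "http-message", "port": 8080, "needle": "?message="},
]
def matches_template(msg):
    """Enforcer comparison step: name of the first matching template, or None."""
    for t in TEMPLATES:
        if msg["dst_port"] == t["port"] and t.get("needle", "") in msg["payload"]:
            return t["name"]
    return None
class ProtocolMessageGateway:
    """Authentication, policy enforcement and logging modules (claims 1, 2, 8, 9, 19)."""
    def __init__(self, max_messages, period_seconds):
        self.screen_to_user = {}          # claim 9: screen name -> unique user name
        self.recent = defaultdict(deque)  # unique user name -> send timestamps in window
        self.log = []                     # claim 8: one record per redirected message
        self.max_messages, self.period = max_messages, period_seconds
    def unique_user_name(self, screen_name, src_ip):
        # Claim 19: a newly generated name is keyed on the client device (source IP).
        return self.screen_to_user.setdefault(screen_name, f"user@{src_ip}")
    def apply_policy(self, msg):
        # Claim 2: at most max_messages sends per period, counted per unique user.
        user = self.unique_user_name(msg["screen_name"], msg["src_ip"])
        window = self.recent[user]
        while window and msg["ts"] - window[0] >= self.period:
            window.popleft()
        action = "allow" if len(window) < self.max_messages else "block"
        if action == "allow":
            window.append(msg["ts"])
        self.log.append((msg["ts"], user, msg["screen_name"], action))
        return action
def enforce(gateway, msg):
    """Claim 1 enforcer: redirect IM messages that bypassed the gateway, pass the rest."""
    if matches_template(msg) is None or msg.get("via_gateway"):
        return "pass"
    return gateway.apply_policy(msg)  # stands in for the content-vectoring redirect
SAMPLE = [  # constructed traffic: three IM-pattern sends from one screen name, one other flow
    {"ts": 0, "src_ip": "10.0.0.5", "dst_port": 5190, "screen_name": "alice77", "payload": "hi"},
    {"ts": 1, "src_ip": "10.0.0.5", "dst_port": 8080, "screen_name": "alice77", "payload": "GET /?message=x"},
    {"ts": 2, "src_ip": "10.0.0.5", "dst_port": 8080, "screen_name": "alice77", "payload": "GET /?pword=abc"},
    {"ts": 3, "src_ip": "10.0.0.9", "dst_port": 443, "screen_name": "", "payload": "TLS"},
]
def run_sample(max_messages=2, period_seconds=10):
    gw = ProtocolMessageGateway(max_messages, period_seconds)
    return [enforce(gw, m) for m in SAMPLE], gw
```

With a limit of two messages per ten seconds, the third send from the same screen name is blocked while the unrelated port 443 flow is never redirected.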
